feat(auth): add WorkOS + Keycloak SSO providers (P8-001)

- Refactor auth.ts to build OAuth providers array dynamically; extract
  buildOAuthProviders() for unit-testability
- Add WorkOS provider (WORKOS_CLIENT_ID/SECRET/REDIRECT_URI env vars)
- Add Keycloak provider with realm-scoped OIDC discovery
  (KEYCLOAK_URL/REALM/CLIENT_ID/CLIENT_SECRET env vars)
- Add genericOAuthClient plugin to web auth-client for signIn.oauth2()
- Add WorkOS + Keycloak SSO buttons to login page (NEXT_PUBLIC_*_ENABLED
  feature flags control visibility)
- Update .env.example with SSO provider stanzas
- Add 8 unit tests covering all provider inclusion/exclusion paths

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-03-18 21:17:11 -05:00
parent 25f880416a
commit 254da35300
5 changed files with 235 additions and 31 deletions


@@ -123,7 +123,24 @@ OTEL_SERVICE_NAME=mosaic-gateway
# TELEGRAM_GATEWAY_URL=http://localhost:4000
# ─── Authentik SSO (optional — set AUTHENTIK_CLIENT_ID to enable) ────────────
# ─── SSO Providers (add credentials to enable) ───────────────────────────────
# --- Authentik (optional — set AUTHENTIK_CLIENT_ID to enable) ---
# AUTHENTIK_ISSUER=https://auth.example.com/application/o/mosaic/
# AUTHENTIK_CLIENT_ID=
# AUTHENTIK_CLIENT_SECRET=
# --- WorkOS (optional — set WORKOS_CLIENT_ID to enable) ---
# WORKOS_CLIENT_ID=client_...
# WORKOS_CLIENT_SECRET=sk_live_...
# WORKOS_REDIRECT_URI=http://localhost:3000/api/auth/callback/workos
# --- Keycloak (optional — set KEYCLOAK_CLIENT_ID to enable) ---
# KEYCLOAK_URL=https://auth.example.com
# KEYCLOAK_REALM=master
# KEYCLOAK_CLIENT_ID=mosaic
# KEYCLOAK_CLIENT_SECRET=
# Feature flags — set to true alongside provider credentials to show SSO buttons in the UI
# NEXT_PUBLIC_WORKOS_ENABLED=true
# NEXT_PUBLIC_KEYCLOAK_ENABLED=true
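Review bot: the Keycloak stanza ships `KEYCLOAK_REALM=master` as its placeholder, which is Keycloak's administrative realm rather than a realm meant for application clients; suggest a dedicated application realm as the example value and a comment saying the master realm should not be used for the Mosaic client, so that copying the stanza verbatim does not wire the app into the admin realm. In the WorkOS stanza, `WORKOS_REDIRECT_URI=http://localhost:3000/api/auth/callback/workos` is fine for local development, but the comment should state that the value must exactly match the callback registered with WorkOS and use https outside localhost, since a mismatched or plain-http redirect URI is the usual cause of a failed or downgraded OAuth callback. Minor: the `sk_live_...` placeholder for `WORKOS_CLIENT_SECRET` is shaped like a real live-key prefix and may trip secret scanners on the repo; a neutral placeholder avoids the noise.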